Pharmacy Spam Blogs At U.S. Nuclear Safety Lab

The Web site for the institution charged with ensuring the safety and integrity of the U.S. nuclear arsenal has been inadvertently hosting advertisements and blogs that link to illegal prescription drug sites hawking everything from generic painkillers to erectile dysfunction medication, Security Fix has learned.

Dozens of pages belonging to the official Web site of Lawrence Livermore National Labs appear to have been seeded with the unauthorized advertisements. Beneath each of the full-page ads was a series of blog entries featuring a bizarre mixture of content: what appears to be ill-translated gibberish interspersed with information that is actually relevant to the advertised drugs.

Security Fix located the pharmacy spam pages by conducting a series of simple Google searches, such as this one.

The sites are all now inactive, and it's not entirely clear how long they were up. According to the oldest date on the time-stamped blog entries, the attackers first began planting the ads and blog posts as early as March 2007.

Update, 11:01 a.m., Aug. 27: After this blog post was published, a source of mine pinged me to say that until this past weekend, several pages on the Lawrence Livermore site were redirecting visitors to other sites that tried to take advantage of Web browser security flaws to install malicious software. These weren't just hyperlinks inserted into an existing page on the government site: They were clearly pages on the government server that were created by malicious attackers, the source said.

It's too easy to incorrectly infer from this article that the site was the specific target of the attack or had its security compromised. These sorts of spam advertisements appear on most every blog that uses any popular blogging application. They're the result of applications that crawl the net and post URLs to the comment section as a way of upping the Google placement of sketchy (at best) businesses.

It's a comment posting, and not any sort of security violation whatsoever. Clearly, the folks running the blog need to be more attentive about screening and removing spam, but it's hardly news or worry-worthy.

I think this article is going to give many folks an inaccurate impression. There's certainly room for clearer reporting and better context.

JohnW, I don't think it's actually clear from the search results that the messages were blog comment spam, which is normally open to the world. If they are in fact blog-related, which is questionable, they look more like actual blog postings, which typically require some form of authentication, unlike comments.

has been burned several times when we have not kept our software up to date and a vulnerability is discovered. On the other hand, we don't share LLNL's mission of being "responsible for ensuring that the nation's nuclear weapons remain safe, secure, and reliable". At least it is somewhat reassuring that the compromised LLNL sites are not directly involved with the core mission of nuclear safety, but focused on conferences, speech research and publicity.

Since we were last hacked in early July, we've been monitoring visits to our web site that seem suspicious and see many attempts every day to gain access, typically through crude password guessing and more sophisticated SQL injection attempts.
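The kind of log monitoring the commenter above describes, as an added illustration that is not the commenter's or the lab's own code: flag hosts with repeated failed logins and requests whose decoded query string matches common SQL injection patterns. The log lines, paths, addresses and thresholds are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined-style); the IPs are
# RFC 5737 documentation addresses and the paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2007:09:12:01 -0400] "POST /blog/wp-login.php HTTP/1.1" 401 512
203.0.113.5 - - [10/Aug/2007:09:12:02 -0400] "POST /blog/wp-login.php HTTP/1.1" 401 512
203.0.113.5 - - [10/Aug/2007:09:12:03 -0400] "POST /blog/wp-login.php HTTP/1.1" 401 512
203.0.113.5 - - [10/Aug/2007:09:12:04 -0400] "POST /blog/wp-login.php HTTP/1.1" 401 512
203.0.113.5 - - [10/Aug/2007:09:12:05 -0400] "POST /blog/wp-login.php HTTP/1.1" 401 512
198.51.100.9 - - [10/Aug/2007:09:15:10 -0400] "GET /conf/paper.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096
198.51.100.9 - - [10/Aug/2007:09:15:11 -0400] "GET /conf/paper.php?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 500 234
192.0.2.77 - - [10/Aug/2007:09:20:00 -0400] "GET /speech/index.html HTTP/1.1" 200 8192
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Heuristic signatures: expect false positives on ordinary text and tune per site.
SQLI_RE = re.compile(r"('|%27)\s*(or|and)\s+|union\s+select|--\s|;\s*drop\s", re.IGNORECASE)
LOGIN_PATHS = ("/blog/wp-login.php",)  # assumed login endpoints on the monitored site

def parse(line):
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_password_guessing(lines, threshold=5):
    """Return {ip: failures} for hosts with at least `threshold` 401/403 responses on login paths."""
    fails = Counter()
    for line in lines:
        r = parse(line)
        if r and r["path"].split("?")[0] in LOGIN_PATHS and r["status"] in ("401", "403"):
            fails[r["ip"]] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}

def find_sqli(lines):
    """Return (ip, decoded query) pairs whose query string matches an injection signature."""
    hits = []
    for line in lines:
        r = parse(line)
        if not r or "?" not in r["path"]:
            continue
        query = unquote_plus(r["path"].split("?", 1)[1])  # decode before matching
        if SQLI_RE.search(query):
            hits.append((r["ip"], query))
    return hits

if __name__ == "__main__":
    print(find_password_guessing(SAMPLE_LOG.splitlines()))
    print(find_sqli(SAMPLE_LOG.splitlines()))
```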

burke> If the WashPost website was hacked, would you consider that a reflection on the news gathering and editorial functions of the paper?

[Setting aside the fact that the Post's newsgathering organization is actually different from the organization that provides the Post's web presence,] if the Post's web site were defaced, one would regard that as evidence of poor security practices by the Post's IT personnel, and thus one would be concerned about other compromises that are not as evident as a defacement, and how those could lead to false reporting or other disruption of the Post's mission, since the Post fundamentally relies on IT for everything it does. Obviously.

You appear to be missing the fact that these messages look like actual blog postings, not merely comment spam. It would be unusual for a blog to be set up to allow posting of actual blog entries by the general public.

Perhaps these forms posted content into the site, or perhaps the CGIs handling those form submissions had a vulnerability.

An alternative explanation is suggested by the presence of "svn" in a number of the URLs; "svn" is a standard abbreviation for the version control system Subversion, and this implies that a misconfigured Subversion installation could have been abused to upload unauthorized content. For more information on Subversion, see:

This is just hilarious. With all due respect to tim finin, anyone who doesn't update their servers (at least when they're being paid HUGE loads of cash for it) when vulnerabilities are found just needs to be fired, shot, and burnt. And please don't use "I didn't know about the updates" as an excuse, if I can subscribe to all the security mailing lists then so can the LLNL.

But to be honest the hack isn't even so bad - what's worse is that they seem to not have bothered to make an audit for many months. Even the best security - and one should be able to assume to find nothing less at the LLNL - can be breached, but anyone who assumes their security is perfect - again - needs to be fired, shot, and burnt.

Then again, this is nothing compared to the holes I have to witness (I report them, and then get in trouble for reporting them..) at my employer, a MAJOR company that seems to not care in the slightest about actual security, as long as they follow their (useless) policies.